Abstract: The security of lattice-based cryptosystems such as NTRU, GGH and Ajtai-Dwork essentially relies upon the intractability of computing a shortest non-zero lattice vector and a closest lattice vector to a given target vector in high dimensions. The best algorithms for these tasks are due to Kannan, and, though remarkably simple, their complexity estimates have not been improved for more than twenty years. Kannan's algorithm for solving the shortest vector problem is in particular crucial in Schnorr's celebrated block reduction algorithm, on which the best known attacks against the lattice-based encryption schemes mentioned above are based. Understanding Kannan's algorithm precisely is of prime importance for providing meaningful key-sizes. In this paper we improve the complexity analyses of Kannan's algorithms and discuss the possibility of improving the underlying enumeration strategy.
Amélioration de l'analyse de l'algorithme de Kannan pour le problème du vecteur le plus court
(Improved analysis of Kannan's algorithm for the shortest vector problem)

Abstract (translated from the French résumé): The security of lattice-based cryptosystems such as NTRU, GGH or Ajtai-Dwork essentially relies on the difficulty of computing a shortest non-zero vector, or a vector closest to a given target vector, in high dimension. The best algorithms for these tasks are due to Kannan, and, despite their great simplicity, the analysis of their complexity has not been improved for more than 20 years. Kannan's algorithm for solving the shortest vector problem is particularly critical in Schnorr's celebrated block reduction algorithm, on which the best attacks against the lattice-based encryption schemes mentioned above are based. Understanding precisely the complexity of Kannan's algorithm is therefore crucial for choosing meaningful key sizes. In this work, we improve the complexity analyses of Kannan's algorithms, and discuss the possibility of improving the underlying enumeration strategy.

Keywords: lattice reduction, complexity analysis, lattice-based cryptosystems
1 Introduction

A lattice $L$ is a discrete subgroup of some $\mathbb{R}^n$. Such an object can always be represented as the set of integer linear combinations of no more than $n$ vectors $b_1, \dots, b_d$. If these vectors are linearly independent, we say that they are a basis of the lattice $L$. The most famous algorithmic problem associated with lattices is the so-called Shortest Vector Problem (SVP). Its computational variant is to find, given a basis of the lattice, a non-zero lattice vector of smallest Euclidean length, this length being the minimum $\lambda(L)$ of the lattice. Its decisional variant is known to be NP-hard under randomised reductions [2], even if one only asks for a vector whose length is no more than $2^{(\log d)^{1-\varepsilon}}$ times the length of a shortest vector [12] (for any $\varepsilon > 0$).

SVP is of prime importance in cryptography since a now quite large family of public-key cryptosystems rely more or less on it. The Ajtai-Dwork cryptosystem [4] relies on $d^c$-SVP for some $c > 0$, where $f(d)$-SVP is the problem of finding the shortest non-zero vector in the lattice $L$, knowing that it is unique in the sense that any vector that is of length less than $f(d) \cdot \lambda(L)$ is parallel to it. The GGH cryptosystem [11] relies on special instances of the Closest Vector Problem (CVP), a non-homogeneous version of SVP. Finally, one strongly suspects that in NTRU [15], the only realistic lattice-based cryptosystem nowadays, the private key can be read on the coordinates of a shortest vector of the Coppersmith-Shamir lattice [8]. The best known generic attacks on these encryption schemes are based on solving SVP. It is therefore highly important to know precisely what complexity is achievable, both in theory and in practice, in particular to select meaningful key-sizes.

In practice, when one wants to obtain good approximations of the lattice minimum, one uses Schnorr's block-based algorithms [23,24]. These algorithms use internally either Kannan's algorithm, or the lattice point enumeration procedure on which it relies. This is by far the most time-consuming part of these algorithms. In fact, the corresponding routine in Shoup's NTL [25] relies on a much slower algorithm described in [24] ($2^{O(d^2)}$ instead of $d^{O(d)}$). The problem is that the enumeration is performed on a basis which is not sufficiently pre-processed (only LLL-reduced). It works well in low dimension, but it can be checked that it is sub-optimal even in moderate dimensions (say 40): the efficiency gap between enumerating from an LLL-reduced basis and from an HKZ-reduced basis shows that there is much room for improving the strategy of [24] by pre-processing the basis before starting the enumeration.

Two main algorithms are known for solving SVP. The first one, which is deterministic, is based on the exhaustive enumeration of lattice points within a small convex set. It is known as Fincke-Pohst's enumeration algorithm [9] in the algorithmic number theory community. In the cryptography community, it is known as Kannan's algorithm [16], which is quite similar to the one of Fincke and Pohst. There are two main differences between both: firstly, in Kannan's algorithm, a long pre-computation on the basis is performed before starting the enumeration process; secondly, Kannan enumerates points in a hyper-parallelepiped whereas Fincke and Pohst do it in a hyper-ellipsoid contained in Kannan's hyper-parallelepiped, though it may be that Kannan chose the hyper-parallelepiped in order to simplify the complexity analysis. Kannan obtained a $d^{d+o(d)}$ complexity bound (in all the complexity bounds mentioned in the introduction, there is an implicit multiplicative factor that is polynomial in the bit-size of the input). In 1985, Helfrich [13] refined Kannan's analysis, and obtained a $d^{d/2+o(d)}$ complexity bound. On the other hand, Ajtai, Kumar and Sivakumar [5] described a probabilistic algorithm of complexity $2^{O(d)}$. The best exponent constant is likely to be small. Nevertheless, unless a breakthrough modification is introduced, this algorithm is bound to remain impractical even in moderate dimension since it also requires an exponential space (at least $2^d$ in dimension $d$). On the contrary, the deterministic algorithm of Kannan requires a polynomial space.
Our main result is to lower Helfrich's complexity bound on Kannan's algorithm, from $d^{d/2+o(d)}$ to $d^{d/(2e)+o(d)} \approx d^{0.184\,d+o(d)}$. This may explain why Kannan's algorithm is tractable even in moderate dimensions (higher than 40). Our analysis can also be adapted to Kannan's algorithm that solves the Closest Vector Problem: it decreases Helfrich's complexity bound from $d^{d+o(d)}$ to $d^{d/2+o(d)}$. The complexity improvement on Kannan's SVP algorithm directly provides better worst-case efficiency/quality trade-offs in Schnorr's block-based algorithms [23,24,10].

It must be noted that if one follows our analysis step by step, the derived o{d) may be large 
when evaluated for some practical d: the constants hidden in the "o(d)" are improvable (for some of 
them it may be easy, for others it is probably much harder). No effort was made to improve them, 
and we believe that it would have complicated the proof with irrelevant details. In fact, most of our 
analysis consists of estimating the number of lattice points within convex bodies, and showing that the 
approximation by the volume is valid. By replacing this discretization by heuristic volume estimates, 
one obtains very small heuristic hidden constants. 

Our complexity improvement is based on a fairly simple idea. Generating all lattice points within a ball is equivalent to generating all integer points within an ellipsoid (consider the ellipsoid defined by the quadratic form naturally associated with the given lattice basis). Fincke and Pohst noticed that it was more efficient to work with the ellipsoid than to consider a parallelepiped containing it: indeed, when the dimension increases, the ratio of the two volumes shrinks to zero very quickly. Amazingly, in his analysis, instead of considering the ellipsoid, Kannan bounds the volume of the parallelepiped. Using rather involved technicalities, we bound the volume of the ellipsoid (in fact, the number of integer points within it). Some parts of our proof could be of independent interest. For example, we show that for any Hermite-Korkine-Zolotarev-reduced (HKZ-reduced for short) lattice basis $(b_1, \dots, b_d)$, and any subset $I$ of $\{1, \dots, d\}$, we have:

where $(b_i^*)_{i \le d}$ is the Gram-Schmidt orthogonalisation of the basis $(b_1, \dots, b_d)$. This inequality generalises the results of [23] on the quality of HKZ-reduced bases.

Road-Map of the Paper. In Section 2 we recall some basic definitions and properties on lattice reduction. Section 3 is devoted to the description of Kannan's algorithm and Section 4 to its complexity analysis. In Section 5 we give without much detail our sibling result on CVP, as well as very direct consequences of our result for Schnorr's block-based algorithms.

Notation. All logarithms are natural logarithms, i.e., $\log(e) = 1$. Let $\|\cdot\|$ and $\langle \cdot, \cdot \rangle$ be the Euclidean norm and inner product of $\mathbb{R}^n$. Bold variables are vectors. We use the bit complexity model. The notation $\mathcal{P}(n_1, \dots, n_i)$ means $(n_1 \cdot \ldots \cdot n_i)^c$ for some constant $c > 0$. If $x$ is real, we denote by $\lfloor x \rceil$ a closest integer to it (with any convention for making it unique) and we define the centred fractional part $\{x\}$ as $x - \lfloor x \rceil$. We use the notation $\mathrm{frac}(x)$ to denote the classical fractional part of $x$, i.e., the quantity $x - \lfloor x \rfloor$. Finally, for any integers $a$ and $b$, we define $\llbracket a, b \rrbracket$ as $[a, b] \cap \mathbb{Z}$.

2 Background on Lattice Reduction

We assume the reader is familiar with the geometry of numbers and its algorithmic aspects. Complete introductions to algorithmic problems on Euclidean lattices can be found in [20] and [22].

Gram-Schmidt orthogonalisation. Let $b_1, \dots, b_d$ be linearly independent vectors. Their Gram-Schmidt orthogonalisation (GSO) $b_1^*, \dots, b_d^*$ is the orthogonal family defined recursively as follows: the vector $b_i^*$ is the component of the vector $b_i$ which is orthogonal to the linear span of the vectors $b_1, \dots, b_{i-1}$. We have $b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j} b_j^*$, where $\mu_{i,j} = \frac{\langle b_i, b_j^* \rangle}{\|b_j^*\|^2}$. For $i \le d$ we let $\mu_{i,i} = 1$. Notice that the GSO family depends on the order of the vectors. If the $b_i$'s are integer vectors, the $b_i^*$'s and the $\mu_{i,j}$'s are rational.

Lattice volume. The volume of a lattice $L$ is defined as $\det(L) = \prod_{i=1}^{d} \|b_i^*\|$, where the $b_i$'s are any basis of $L$. It does not depend on the choice of the basis of $L$ and can be interpreted as the geometric volume of the parallelepiped naturally spanned by the basis vectors.

Minimum and SVP. Another important lattice invariant is the minimum. The minimum $\lambda(L)$ is the radius of the smallest closed ball centred at the origin containing at least one non-zero lattice vector. The most famous lattice problem is the shortest vector problem. We give here its computational variant: given a basis of a lattice $L$, find a lattice vector whose norm is exactly $\lambda(L)$.

CVP. We give here the computational variant of the closest vector problem: given a basis of a lattice $L$ and a target vector in the real span of $L$, find a closest vector of $L$ to the target vector.

The volume and the minimum of a lattice cannot behave independently. Hermite [14] was the first to bound the ratio $\frac{\lambda(L)}{(\det L)^{1/d}}$ as a function of the dimension only, but his bound was later on greatly improved by Minkowski in his Geometrie der Zahlen [21]. Hermite's constant $\gamma_d$ is defined as the supremum over $d$-dimensional lattices $L$ of the ratio $\frac{\lambda(L)^2}{(\det L)^{2/d}}$. In particular, $\gamma_d$ is bounded by a simple function of $d$ (see [18]), a bound which we will refer to as Minkowski's theorem. Unfortunately, the proof of Minkowski's theorem is not constructive. In practice, one often starts with a lattice basis, and tries to improve its quality. This process is called lattice reduction. The most usual ones are probably the LLL and HKZ reductions. Before defining them, we need the concept of size-reduction.

Size-reduction. A basis $(b_1, \dots, b_d)$ is size-reduced if its GSO family satisfies $|\mu_{i,j}| \le 1/2$ for all $1 \le j < i \le d$.

HKZ-reduction. A basis $(b_1, \dots, b_d)$ is said to be Hermite-Korkine-Zolotarev-reduced if it is size-reduced, the vector $b_1$ reaches the first lattice minimum, and the projections of the $(b_i)_{i \ge 2}$'s orthogonally to the vector $b_1$ are an HKZ-reduced basis. The following immediately follows from this definition and Minkowski's theorem. It is the sole property of HKZ-reduced bases that we will use:

Lemma 1. If $(b_1, \dots, b_d)$ is HKZ-reduced, then for any $i \le d$, we have:

HKZ-reduction is very strong, but very expensive to compute. On the contrary, LLL-reduction is fairly cheap, but an LLL-reduced basis is of much lower quality.

LLL-reduction [17]. A basis $(b_1, \dots, b_d)$ is LLL-reduced if it is size-reduced and if its GSO satisfies the $(d-1)$ Lovász conditions: $\frac{3}{4} \cdot \|b_{i-1}^*\|^2 \le \|b_i^* + \mu_{i,i-1} b_{i-1}^*\|^2$. The LLL-reduction implies that the norms $\|b_1^*\|, \dots, \|b_d^*\|$ of the GSO vectors never drop too fast: intuitively, the vectors are not far from being orthogonal. Such bases have useful properties, like providing exponential approximations to SVP and CVP. In particular, their first vector is relatively short. More precisely:

Theorem 1 ([17]). Let $(b_1, \dots, b_d)$ be an LLL-reduced basis of a lattice $L$. Then we have $\|b_1\| \le 2^{d} \cdot (\det L)^{1/d}$. Moreover, there exists an algorithm that takes as input any set of integer vectors and outputs in deterministic polynomial time an LLL-reduced basis of the lattice they span.

In the following, we will also need the fact that if the set of vectors given as input to the LLL algorithm starts with a shortest non-zero lattice vector, then this vector is not changed during the execution of the algorithm: the output basis starts with the same vector.

3 Kannan's SVP Algorithm

Kannan's SVP algorithm [16] relies on multiple calls to the so-called short lattice points enumeration procedure. The latter aims at computing all vectors of a given lattice that are in the hyper-sphere centred at the origin and of some prescribed radius. Variants of the enumeration procedure are described in [1].

3.1 Short Lattice Points Enumeration

Let $(b_1, \dots, b_d)$ be a basis of a lattice $L \subset \mathbb{Z}^n$ and let $A \in \mathbb{Z}$. Our goal is to find all lattice vectors $\sum_{i=1}^{d} x_i b_i$ of squared Euclidean norm $\le A$. The enumeration works as follows. Suppose that $\|\sum_{i} x_i b_i\|^2 \le A$ for some integers $x_i$'s. Then, by considering the components of the vector $\sum_i x_i b_i$ on each of the $b_i^*$'s, we obtain:

$$(x_d)^2 \cdot \|b_d^*\|^2 \le A,$$
$$(x_{d-1} + \mu_{d,d-1} x_d)^2 \cdot \|b_{d-1}^*\|^2 \le A - (x_d)^2 \cdot \|b_d^*\|^2,$$
$$\vdots$$
$$\Big(x_i + \sum_{j=i+1}^{d} \mu_{j,i} x_j\Big)^2 \cdot \|b_i^*\|^2 \le A - \sum_{j=i+1}^{d} l_j,$$
$$\vdots$$
$$\Big(x_1 + \sum_{j=2}^{d} \mu_{j,1} x_j\Big)^2 \cdot \|b_1^*\|^2 \le A - \sum_{j=2}^{d} l_j,$$

where $l_j = \big(x_j + \sum_{k>j} x_k \mu_{k,j}\big)^2 \cdot \|b_j^*\|^2$. The algorithm of Figure 1 mimics the equations above. It is easy to see that the bit-cost of this algorithm is bounded by the number of loop iterations times a polynomial in the bit-size of the input. We will prove that if the input basis $(b_1, \dots, b_d)$ is sufficiently reduced and if $A = \|b_1\|^2$, then the number of loop iterations is $d^{d/(2e)+o(d)}$.

3.2 Solving SVP

To solve SVP, Kannan provides an algorithm that computes HKZ-reduced bases, see Figure 2. The cost of the enumeration procedure dominates the overall cost and mostly depends on the quality (i.e., the slow decrease of the $\|b_i^*\|$'s) of the input basis. The main idea of Kannan's algorithm is thus to spend a lot of time pre-computing a basis of excellent quality before calling the enumeration procedure. More precisely, it pre-computes a basis which satisfies the following definition:

Definition 1 (Quasi-HKZ-Reduction). A basis $(b_1, \dots, b_d)$ is quasi-HKZ-reduced if it is size-reduced, if $\|b_2^*\| \ge \|b_1\|/2$ and if, once projected orthogonally to $b_1$, the other $b_i$'s are HKZ-reduced.



Input: An integral lattice basis $(b_1, \dots, b_d)$, a bound $A \in \mathbb{Z}$.
Output: All vectors in $L(b_1, \dots, b_d)$ that are of squared norm $\le A$.

1. Compute the rational $\mu_{i,j}$'s and $\|b_i^*\|^2$'s.
2. $x := 0$, $l := 0$, $S := \emptyset$.
3. $i := 1$. While $i \le d$, do
4.   $l_i := \big(x_i + \sum_{j>i} x_j \mu_{j,i}\big)^2 \|b_i^*\|^2$.
5.   If $i = 1$ and $\sum_{j \ge 1} l_j \le A$, then $S := S \cup \{x\}$, $x_1 := x_1 + 1$.
6.   If $i \ne 1$ and $\sum_{j \ge i} l_j \le A$, then $i := i - 1$ and set $x_i$ to the smallest integer such that $\big(x_i + \sum_{j>i} x_j \mu_{j,i}\big)^2 \|b_i^*\|^2 \le A - \sum_{j>i} l_j$.
7.   If $\sum_{j \ge i} l_j > A$, then $i := i + 1$, $x_i := x_i + 1$.

Fig. 1. The Enumeration Algorithm.

Input: An integer lattice basis $(b_1, \dots, b_d)$.
Output: An HKZ-reduced basis of the same lattice.

1. LLL-reduce the basis $(b_1, \dots, b_d)$.
2. Do
3.   Compute the projections $(b'_i)_{i \ge 2}$ of the $b_i$'s orthogonally to $b_1$.
4.   HKZ-reduce the $(d-1)$-dimensional basis $(b'_2, \dots, b'_d)$.
5.   Extend the obtained $(b'_i)_{i \ge 2}$'s into vectors of $L$ by adding to them rational multiples of $b_1$, in such a way that we have $|\mu_{i,1}| \le 1/2$ for any $i > 1$.
6. While $(b_1, \dots, b_d)$ is not quasi-HKZ-reduced.
7. Call the enumeration procedure to find all lattice vectors of length $\le \|b_1\|$. Let $b_0$ be a shortest non-zero vector among them.
8. $(b_1, \dots, b_d) := \mathrm{LLL}(b_0, \dots, b_d)$.
9. Compute the projections $(b'_i)_{i \ge 2}$ of the $b_i$'s orthogonally to the vector $b_1$.
10. HKZ-reduce the $(d-1)$-dimensional basis $(b'_2, \dots, b'_d)$.
11. Extend the obtained $(b'_i)_{i \ge 2}$'s into vectors of $L$ by adding to them rational multiples of $b_1$, in such a way that we have $|\mu_{i,1}| \le 1/2$ for any $i > 1$.

Fig. 2. Kannan's SVP Algorithm.
Several comments need to be made on the algorithm of Figure 2. Steps 4 and 10 are recursive calls. Nevertheless, one should be careful because the $b'_i$'s are rational vectors, whereas the input of the algorithm must be integral. One must therefore scale the vectors by a common factor. Steps 5 and 11 can be performed for example by expressing the reduced basis vectors as integer linear combinations of the initial ones, using these coefficients to recover lattice vectors and subtracting a correct multiple of the vector $b_1$. In Step 7, it is always possible to choose such a vector $b_0$, since this enumeration always provides non-zero solutions (the vector $b_1$ is one of them).
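The enumeration of Section 3.1 and the LLL pre-processing of Section 2, as an added example that is not part of the paper and not Kannan's, Schnorr's or NTL's code: a small Python implementation in exact rational arithmetic. It computes the GSO, runs textbook LLL with Lovász constant $3/4$, enumerates every coefficient vector of squared norm at most $A$ in the order of Figure 1 ($x_d$ fixed first), and reports how many truncated coordinates $(x_i, \dots, x_d)$ were visited, which is the quantity bounded in Section 4. The sample basis is a constructed unimodular basis of $\mathbb{Z}^3$ (so $\lambda(L)^2 = 1$); the function names and the node-count bookkeeping are this example's own choices, and Fractions make it exact but far too slow beyond toy dimensions.

```python
# Added example (not from the paper): exact-arithmetic GSO and LLL (Section 2) and the
# enumeration of Figure 1, to compare how many truncated coordinates (x_i, ..., x_d)
# are visited from a raw basis and from an LLL-reduced basis of the same lattice.
# Assumptions: small integer bases of linearly independent vectors; Fractions keep
# everything exact (fine for the toy below, far too slow for real dimensions).
from fractions import Fraction


def gso(basis):
    """Gram-Schmidt data: mu[i][j] = <b_i, b_j*>/||b_j*||^2 (mu[i][i] = 1) and ||b_i*||^2."""
    d = len(basis)
    mu = [[Fraction(0)] * d for _ in range(d)]
    bstar, bstar_sq = [], []
    for i in range(d):
        v = [Fraction(c) for c in basis[i]]
        for j in range(i):
            mu[i][j] = sum(Fraction(a) * b for a, b in zip(basis[i], bstar[j])) / bstar_sq[j]
            v = [a - mu[i][j] * b for a, b in zip(v, bstar[j])]
        mu[i][i] = Fraction(1)
        bstar.append(v)
        bstar_sq.append(sum(c * c for c in v))
    return mu, bstar_sq


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL (Theorem 1): size-reduce b_k, then keep it or swap it with b_{k-1}
    when the Lovasz condition delta*||b*_{k-1}||^2 <= ||b_k* + mu_{k,k-1} b*_{k-1}||^2 fails."""
    b = [list(v) for v in basis]
    d, k = len(b), 1
    mu, bsq = gso(b)
    while k < d:
        for j in range(k - 1, -1, -1):              # size-reduction: |mu_{k,j}| <= 1/2
            q = round(mu[k][j])                     # nearest integer of an exact Fraction
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                mu, bsq = gso(b)
        if bsq[k] >= (delta - mu[k][k - 1] ** 2) * bsq[k - 1]:
            k += 1
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            mu, bsq = gso(b)
            k = max(k - 1, 1)
    return b


def _int_range(c, R):
    """All integers x with (x - c)^2 <= R, for rational c and R >= 0, computed exactly."""
    r = float(R) ** 0.5 + 1.0                       # floats only bracket the range,
    lo, hi = int(float(c) - r) - 1, int(float(c) + r) + 1
    while lo <= hi and (lo - c) ** 2 > R:           # which is then tightened exactly
        lo += 1
    while hi >= lo and (hi - c) ** 2 > R:
        hi -= 1
    return lo, hi                                   # empty when lo > hi


def enumerate_short(basis, A):
    """Coefficient vectors x with ||sum_i x_i b_i||^2 <= A (Figure 1), plus the number of
    truncated coordinates (x_i, ..., x_d) visited, the quantity bounded in Section 4.1.
    x_d is fixed first; x_i then ranges over the integers allowed by
    (x_i + sum_{j>i} mu_{j,i} x_j)^2 ||b_i*||^2 <= A - sum_{j>i} l_j."""
    d = len(basis)
    mu, bsq = gso(basis)
    x = [0] * d
    found, nodes = [], 0

    def descend(i, remaining):                      # remaining = A - sum_{j>i} l_j
        nonlocal nodes
        c = -sum(mu[j][i] * x[j] for j in range(i + 1, d))   # centre of the interval
        lo, hi = _int_range(c, remaining / bsq[i])
        for xi in range(lo, hi + 1):
            nodes += 1
            x[i] = xi
            l_i = (xi - c) ** 2 * bsq[i]
            if i == 0:
                found.append(tuple(x))
            else:
                descend(i - 1, remaining - l_i)
        x[i] = 0

    descend(d - 1, Fraction(A))
    return found, nodes


def shortest_vector(basis):
    """Step 7 of Figure 2 with LLL as the only pre-processing (the NTL-style strategy
    discussed in the introduction): enumerate the ball of radius ||b_1|| and keep a
    shortest non-zero vector. Returns (squared length, vector, nodes visited)."""
    red = lll(basis)
    A = sum(c * c for c in red[0])
    coords, nodes = enumerate_short(red, A)
    best = None
    for xs in coords:
        v = [sum(xi * row[t] for xi, row in zip(xs, red)) for t in range(len(red[0]))]
        n = sum(c * c for c in v)
        if n and (best is None or n < best[0]):
            best = (n, v)
    return best[0], best[1], nodes


# Constructed sample: a unimodular (determinant 1) basis of Z^3, so lambda(L)^2 = 1.
RAW_BASIS = [[3, 5, 2], [1, 2, 1], [1, 1, 1]]

if __name__ == "__main__":
    _, raw_nodes = enumerate_short(RAW_BASIS, 1)
    sq, v, red_nodes = shortest_vector(RAW_BASIS)
    print(f"shortest vector {v}, squared length {sq}")
    print(f"nodes visited: raw basis {raw_nodes}, LLL-reduced basis {red_nodes}")
```

Running the block visits 29 nodes from the raw basis against 15 from its LLL-reduced form for the same 7 solutions, which is the effect the text attributes to pre-processing; the gap widens quickly with the dimension. A real solver would use floating-point GSO and the zig-zag ordering of [24] instead of scanning each interval from its lower end, neither of which is needed to see the point here.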



3.3 Cost of Kannan's SVP Solver

We recall briefly Helfrich's complexity analysis [13] of Kannan's algorithm and explain our complexity improvement. Let $C(d, n, B)$ be the worst-case complexity of the algorithm of Figure 2 when given as input a $d$-dimensional basis which is embedded in $\mathbb{Z}^n$ and whose coefficients are smaller than $B$ in absolute value. Kannan [16] and Helfrich [13] show the following properties:

- It computes an HKZ-reduced basis of the lattice spanned by the input vectors.
- All arithmetic operations performed during the execution are of cost $\mathcal{P}(d, n, \log B)$. This implies that the cost $C(d, n, B)$ can be bounded by $C(d) \cdot \mathcal{P}(\log B, n)$ for some function $C(d)$.
- The number of iterations of the loop of Steps 2-6 is bounded by $O(1) + \log d$.
- The cost of the call to the enumeration procedure at Step 7 is bounded by $\mathcal{P}(\log B, n) \cdot d^{d/2+o(d)}$.

From these properties and those of the LLL algorithm as recalled in the previous section, it is easy to obtain the following equation:

$$C(d) \le (O(1) + \log d)\big(C(d-1) + \mathcal{P}(d)\big) + d^{d/2+o(d)}.$$

One can then derive the bound $C(d, B, n) \le \mathcal{P}(\log B, n) \cdot d^{d/2+o(d)}$.

The main result of this paper is to improve this complexity upper bound to $\mathcal{P}(\log B, n) \cdot d^{d/(2e)+o(d)}$. In fact, we show the following:

Theorem 2. Given as inputs a quasi-HKZ-reduced basis $(b_1, \dots, b_d)$ and $A = \|b_1\|^2$, the number of loop iterations during the execution of the enumeration algorithm as described in Figure 1 is bounded by $\mathcal{P}(\log B) \cdot 2^{O(d)} \cdot d^{d/(2e)}$, where $B = \max_i \|b_i\|$. As a consequence, given a $d$-dimensional basis of $n$-dimensional vectors whose entries are integers with absolute values $< B$, one can compute an HKZ-reduced basis of the lattice they span in deterministic time $\mathcal{P}(\log B, n) \cdot d^{d/(2e)+o(d)}$.



4 Complexity of the Enumeration Procedure

This section is devoted to proving Theorem 2.

4.1 From the Enumeration Procedure to Integer Points in Hyper-ellipsoids

In this subsection, we do not assume anything on the input basis $(b_1, \dots, b_d)$ and on the input bound $A$. Up to some polynomial in $d$ and $\log B$, the complexity of the enumeration procedure of Figure 1 is the number of loop iterations. This number of iterations is itself bounded by:

$$\sum_{i=1}^{d} \left| \left\{ (x_i, \dots, x_d) \in \mathbb{Z}^{d-i+1} \;:\; \Big\| \sum_{j=i}^{d} x_j b_j^{(i)} \Big\|^2 \le A \right\} \right|,$$
where $b_j^{(i)} = b_j - \sum_{k<i} \mu_{j,k} b_k^*$ is the vector $b_j$ once projected orthogonally to the linear span of the vectors $b_1, \dots, b_{i-1}$. Indeed, the truncated coordinate $(x_i, \dots, x_d)$ is either a valid one, i.e., we have $\|\sum_{j=i}^{d} x_j b_j^{(i)}\|^2 \le A$, or $(x_i - 1, \dots, x_d)$ is a valid one, or $(x_{i+1}, \dots, x_d)$ is a valid one. In fact, if $(x_i, \dots, x_d)$ is a valid truncated coordinate, only two non-valid ones related to that one can possibly be considered during the execution of the algorithm: $(x_i + 1, \dots, x_d)$ and $(x_{i-1}, x_i, \dots, x_d)$ for at most one integer $x_{i-1}$.

Consider the quantity $\left|\left\{(x_i, \dots, x_d) \in \mathbb{Z}^{d-i+1} : \|\sum_{j \ge i} x_j b_j^{(i)}\|^2 \le A\right\}\right|$. By applying the change of variable $x_j \leftarrow x_j - \lfloor \sum_{k>j} \mu_{k,j} x_k \rceil$, we obtain:

$$\sum_{i \le d} \left|\left\{(x_i,\dots,x_d) \in \mathbb{Z}^{d-i+1} : \Big\|\sum_{j\ge i} x_j b_j^{(i)}\Big\|^2 \le A\right\}\right| = \sum_{i\le d} \left|\left\{(x_i,\dots,x_d)\in\mathbb{Z}^{d-i+1} : \sum_{j\ge i}\Big(x_j + \sum_{k>j}\mu_{k,j}x_k\Big)^2 \|b_j^*\|^2 \le A\right\}\right|$$
$$= \sum_{i\le d} \left|\left\{(x_i,\dots,x_d)\in\mathbb{Z}^{d-i+1} : \sum_{j\ge i}\Big(x_j + \Big\{\sum_{k>j}\mu_{k,j}x_k\Big\}\Big)^2 \|b_j^*\|^2 \le A\right\}\right|.$$

If $x$ is an integer and $\varepsilon \in [-1/2, 1/2]$, then we have the relation $(x + \varepsilon)^2 \ge x^2/4$. If $x = 0$, this is obvious, and otherwise we use the inequality $|\varepsilon| \le 1/2 \le |x|/2$. As a consequence, up to a polynomial factor, the complexity of the enumeration is bounded by:

$$\sum_{i \le d} \left|\left\{(x_i,\dots,x_d) \in \mathbb{Z}^{d-i+1} : \sum_{j \ge i} x_j^2 \|b_j^*\|^2 \le 4A\right\}\right|.$$

For any $i \le d$, we define the ellipsoid $\mathcal{E}_i = \left\{(y_i, \dots, y_d) \in \mathbb{R}^{d-i+1} : \sum_{j\ge i} y_j^2 \|b_j^*\|^2 \le 4A\right\}$, as well as the quantity $N_i = |\mathcal{E}_i \cap \mathbb{Z}^{d-i+1}|$. We want to bound the sum of the $N_i$'s. We now fix some index $i$. The following sequence of relations is inspired from [10, Lemma 1]:

$$N_i = \sum_{(x_i,\dots,x_d)\in\mathbb{Z}^{d-i+1}} \mathbf{1}_{\mathcal{E}_i}(x_i,\dots,x_d) \le \sum_{(x_i,\dots,x_d)\in\mathbb{Z}^{d-i+1}} \exp\left(d\Big(1 - \sum_{j\ge i} \frac{x_j^2\|b_j^*\|^2}{4A}\Big)\right) = e^{d} \prod_{j \ge i} \Theta\left(\frac{d\,\|b_j^*\|^2}{4A}\right),$$

where $\Theta(t) = \sum_{x \in \mathbb{Z}} \exp(-t x^2)$ is defined for $t > 0$. Notice that $\Theta(t) = 1 + 2\sum_{x \ge 1} \exp(-tx^2) \le 1 + 2\int_0^{\infty} \exp(-tx^2)\,dx = 1 + \sqrt{\pi/t}$. Hence $\Theta(t) \le \frac{1+\sqrt{\pi}}{\sqrt{t}}$ for $t \le 1$ and $\Theta(t) \le 1 + \sqrt{\pi}$ for $t \ge 1$, i.e., $\Theta(t) \le (1+\sqrt{\pi}) \max(1, 1/\sqrt{t})$. As a consequence, we have:

$$N_i \le \big(4e(1+\sqrt{\pi})\big)^{d} \cdot \prod_{j \ge i} \max\left(1, \frac{\sqrt{A}}{\sqrt{d}\,\|b_j^*\|}\right). \qquad (1)$$

One thus concludes that the cost of the enumeration procedure is bounded by:

$$\mathcal{P}(n, \log A, \log B) \cdot 2^{O(d)} \cdot \max_{I \subset \llbracket 1, d \rrbracket} \frac{A^{|I|/2}}{(\sqrt{d})^{|I|} \prod_{i \in I} \|b_i^*\|}.$$
4.2 The Case of Quasi-HKZ-Reduced Bases

We now suppose that $A = \|b_1\|^2$ and that the input basis $(b_1, \dots, b_d)$ is quasi-HKZ-reduced. Our first step is to strengthen the quasi-HKZ-reducedness hypothesis to an HKZ-reducedness hypothesis. Let $I \subset \llbracket 1, d \rrbracket$. If $1 \notin I$, then, because of the quasi-HKZ-reducedness assumption:

$$\frac{\|b_1\|^{|I|}}{(\sqrt{d})^{|I|} \prod_{i \in I} \|b_i^*\|} \le \frac{(2\|b_2^*\|)^{|I|}}{(\sqrt{d})^{|I|} \prod_{i \in I} \|b_i^*\|}.$$

Otherwise if $1 \in I$, then we have, by removing $\|b_1\|$ from the product $\prod_{i \in I} \|b_i^*\|$:

$$\frac{\|b_1\|^{|I|}}{(\sqrt{d})^{|I|} \prod_{i \in I} \|b_i^*\|} = \frac{\|b_1\|^{|I|-1}}{(\sqrt{d})^{|I|} \prod_{i \in I \setminus \{1\}} \|b_i^*\|} \le \frac{(2\|b_2^*\|)^{|I|-1}}{(\sqrt{d})^{|I|} \prod_{i \in I \setminus \{1\}} \|b_i^*\|}.$$

As a consequence, in order to obtain Theorem 2, it suffices to prove the following:

Theorem 3. Let $b_1, \dots, b_d$ be an HKZ-reduced basis. Let $I \subset \llbracket 1, d \rrbracket$. Then,


4.3 A Property on the Geometry of HKZ-Reduced Bases

In this section, we prove Theorem 3, which is the last missing part to obtain the announced result. Some parts of the proof are fairly technical and have been postponed to the appendix (this is the case for the proofs of Lemmata 2-5). As a guide, the reader should consider the typical case where $(b_i)_{1 \le i \le d}$ is an HKZ-reduced basis for which $(\|b_i^*\|)_i$ is a non-increasing sequence. In that case, the shape of the set $I$ that is provided by Equation (1) is much simpler: it is an interval $\llbracket i, d \rrbracket$ starting at some index $i$. Lemmata 4 and 2 (which should thus be considered as the core of the proof) and the fact that $x \log x \ge -1/e$ for $x \in [0, 1]$ are sufficient to deal with such simple intervals, and thus to provide the result.

The difficulties arise when the shape of the set $I$ under study becomes more complicated. Though the proof is technically quite involved, the strategy itself can be summed up in a few words. We split our HKZ-reduced basis into blocks (defined by the expression of $I$ as a union of intervals), i.e., groups of consecutive vectors $b_i, \dots, b_{j-1}$ such that $i, \dots, k-1 \notin I$ and $k, \dots, j-1 \in I$. The former vectors will be the "large ones", and the latter the "small ones". Over each block, Lemma 4 relates the average size of the small vectors to the average size of the whole block. We consider the blocks by decreasing indices (in Lemma 6), and use an amortised analysis to combine finely the local behaviours on blocks to obtain a global bound. This recombination is extremely tight, and in order to get the desired bound we use "parts of vectors" (non-integral powers of them). This is why we need to introduce the $\bar{\pi}_{[a,b]}$ (in Definition 3). A final convexity argument provided by Lemma 3 gives the result.

In the sequel, $(b_i)_{1 \le i \le d}$ is an HKZ-reduced basis of a lattice $L$ of dimension $d \ge 2$.

Definition 2. For any $I \subset \llbracket 1, d \rrbracket$, we define $\pi_I = \big(\prod_{i \in I} \|b_i^*\|\big)^{1/|I|}$. Moreover, if $k \in \llbracket 0, d-1 \rrbracket$, we define $\Gamma_d(k) = \prod_{i=1}^{k} \gamma_{d-i+1}^{\frac{1}{2(d-i)}}$.

For technical purposes in the proof of Lemma 6, we also need the following definition.

Definition 3. If $1 \le a \le b \le d$, where $a$ is real and $b$ is an integer, we define:

$$\bar{\pi}_{[a,b]} = \left( \|b_{\lfloor a \rfloor}^*\|^{\,1 - a + \lfloor a \rfloor} \cdot \prod_{i = \lfloor a \rfloor + 1}^{b} \|b_i^*\| \right)^{\frac{1}{b+1-a}} = \left( \pi_{\llbracket \lfloor a \rfloor, b \rrbracket} \right)^{\frac{(b+1-\lfloor a \rfloor)(1-a+\lfloor a \rfloor)}{b+1-a}} \cdot \left( \pi_{\llbracket \lfloor a \rfloor + 1, b \rrbracket} \right)^{\frac{(b-\lfloor a \rfloor)(a-\lfloor a \rfloor)}{b+1-a}}.$$

Note that Definition 3 naturally extends Definition 2 since $\bar{\pi}_{[a,b]} = \pi_{\llbracket a, b \rrbracket}$ when $a$ is an integer. We need estimates on the order of magnitude of $\Gamma$, and a technical lemma allowing us to recombine such estimates. Basically, the following lemma is a precise version of the identity:

$$\log \Gamma_d(k) \approx \int_{x=d-k}^{d} \frac{\log x}{2x}\,dx = \frac{\log^2 d - \log^2 (d-k)}{4} \le \frac{\log d}{2} \cdot \log\frac{d}{d-k}.$$

Lemma 2. For all $1 \le k < d$, we have $\Gamma_d(k) \le \sqrt{d}^{\,\log\frac{d}{d-k}}$.

The following lemma derives from the convexity of the function $x \mapsto x \log x$.

Lemma 3. Let $\Delta > 1$, and define $F_\Delta(k, d) = \Delta^{-k \log\frac{d}{k}}$. We have, for all integer $t$, for all integers $k_1, \dots, k_t$ and $d_1, \dots, d_t$ such that $1 \le k_i \le d_i$ for all $i \le t$,

$$\prod_{i \le t} F_\Delta(k_i, d_i) \ge F_\Delta\Big(\sum_{i \le t} k_i, \sum_{i \le t} d_i\Big).$$

We now give an "averaged" version of [23, Lemma 4]. For completeness, we give its proof in the appendix. This provides the result claimed in Theorem 3 for any interval $I = \llbracket i, j \rrbracket$, for any $i \le j \le d$.

Lemma 4. For all $k \in \llbracket 0, d-1 \rrbracket$, we have

$$\pi_{\llbracket 1,k \rrbracket} \le (\Gamma_d(k))^{d/k} \cdot \pi_{\llbracket k+1, d \rrbracket} \quad \text{and} \quad \pi_{\llbracket k+1,d \rrbracket} \ge (\Gamma_d(k))^{-1} \cdot (\det L)^{1/d} \ge \sqrt{d}^{\,-\log\frac{d}{d-k}} \cdot (\det L)^{1/d}.$$

The following lemma extends Lemma 4 to the case where $k$ is not necessarily an integer. Its proof is conceptually simple, but involves rather heavy elementary calculus. It would be simpler to obtain it with a relaxation factor. The result is nevertheless worth the effort since the shape of the bound is extremely tractable in the sequel.

Lemma 5. If $1 \le x_1 \le x_2 < d$ are real, then $\bar{\pi}_{[x_2, d]} \ge \bar{\pi}_{[x_1, d]} \cdot \sqrt{d}^{\,-\log\frac{d-x_1}{d-x_2}}$.
We prove Theorem 3 by induction on the number of intervals occurring in the expression of the set $I$ as a union of intervals. The following lemma is the induction step. This is a recombination step, where we join one block (between the indices 1 and $v$, the "small vectors" being those between $u+1$ and $v$) to one or more already considered blocks on its right. An important point is to ensure that the densities $\delta_i$ defined below actually decrease.

Lemma 6. Let $(b_1, \dots, b_d)$ be an HKZ-reduced basis. Let $v \in \llbracket 2, d \rrbracket$, $I \subset \llbracket v+1, d \rrbracket$, and $u \in \llbracket 1, v \rrbracket$. Assume that:

$$\pi_I^{|I|} \ge \prod_{i < t} \left( \pi_{\llbracket a_i+1, a_{i+1} \rrbracket}^{|I_i|} \cdot \sqrt{d}^{\,-|I_i| \log \frac{1}{\delta_i}} \right),$$

Guillaume Hanrot, Damien Stehlé

where $I_i = I \cap \llbracket a_i+1, a_{i+1} \rrbracket$, $\delta_i = \frac{|I_i|}{a_{i+1} - a_i}$ is the density of $I$ in $\llbracket a_i+1, a_{i+1} \rrbracket$, and the integers $t$ and $a_i$'s, and the densities $\delta_i$ satisfy $t \ge 1$, $v = a_1 < a_2 < \dots < a_t \le d$ and $1 \ge \delta_1 > \dots > \delta_{t-1} > 0$.

Then, we have

$$\pi_{I'}^{|I'|} \ge \prod_{i < t'} \left( \pi_{\llbracket a'_i+1, a'_{i+1} \rrbracket}^{|I'_i|} \cdot \sqrt{d}^{\,-|I'_i| \log \frac{1}{\delta'_i}} \right),$$

where $I' = \llbracket u+1, v \rrbracket \cup I$, $I'_i = I' \cap \llbracket a'_i+1, a'_{i+1} \rrbracket$, $\delta'_i = \frac{|I'_i|}{a'_{i+1} - a'_i}$, and the integers $t'$ and $a'_i$'s, and the densities $\delta'_i$ satisfy $t' \ge 1$, $0 = a'_1 < a'_2 < \dots < a'_{t'} \le d$ and $1 \ge \delta'_1 > \dots > \delta'_{t'-1} > 0$.

Proof. Assume first that $\frac{v-u}{v} > \delta_1$. Then, thanks to Lemma 4 applied to the HKZ-reduced basis $(b_1, \dots, b_v)$,

$$\pi_{\llbracket u+1, v \rrbracket}^{\,v-u} \ge \pi_{\llbracket 1, v \rrbracket}^{\,v-u} \cdot \sqrt{d}^{\,-(v-u)\log\frac{v}{v-u}},$$

and we are done with $t' = t+1$, $a'_1 = 0$, $a'_k = a_{k-1}$, $\delta'_1 = \frac{v-u}{v}$, $\delta'_k = \delta_{k-1}$.

Otherwise, we let $\Delta_1 \ge 0$ be such that $\frac{v-u}{v-\Delta_1} = \delta_1 = \frac{|I_1|}{a_2 - v}$, where the first equality defines $\Delta_1$ and the second one follows. Note that this implies:

$$\frac{v-u+|I_1|}{a_2 - \Delta_1} = \delta_1.$$

Then, we have, by using Lemma 5,

If $\frac{v-u+|I_1|}{a_2} > \delta_2$, we conclude as in the first step, putting $t' = t$, $a'_1 = 0$, $a'_k = a_k$ for $k \ge 2$, $\delta'_1 = \frac{v-u+|I_1|}{a_2}$, $\delta'_k = \delta_k$ for $k \ge 2$. If this is not the case, we let $\Delta_2$ be such that:

$$\frac{v-u+|I_1|}{a_2 - \Delta_2} = \delta_2 = \frac{v-u+|I \cap \llbracket a_1+1, a_3 \rrbracket|}{a_3 - \Delta_2}.$$

Notice that since $\delta_1 = \frac{v-u+|I_1|}{a_2-\Delta_1} > \delta_2$, we have $\Delta_2 < \Delta_1$. A similar sequence of inequalities, using Lemma 5 to relate $\bar{\pi}_{[\Delta_1, a_2]}$ and $\bar{\pi}_{[\Delta_2, a_2]}$, leads to the following lower bound on $\pi_{I'}^{|I'|}$:

We can proceed in the same way, constructing $\Delta_2 > \Delta_3 > \dots$. Suppose first that the construction stops at some index $k$. We have:

We can then conclude, by putting $t' = t-k+1$, $a'_1 = 0$, $a'_j = a_{j+k-1}$ for $j > 1$, $\delta'_1 = |I' \cap \llbracket 1, a_{k+1} \rrbracket| / a_{k+1}$, $\delta'_j = \delta_{j+k-1}$ for $j > 1$. Otherwise, we end up with:

to which we can apply Lemma 5 to obtain $\pi_{I'}^{|I'|} \ge \pi_{\llbracket 1, a_t \rrbracket}^{|I'|} \cdot \sqrt{d}^{\,-|I'| \log\frac{a_t}{|I'|}}$, which is again in the desired form, with $t' = 2$, $a'_1 = 0$, $a'_2 = a_t$, $\delta'_1 = \frac{|I'|}{a_t}$. □
Theorem 3 now follows from successive applications of Lemma 6, as follows:

Proof of Theorem 3. Lemma 6 gives us, by induction on the size of the considered set $I$, that for all $I \subset \llbracket 1, d \rrbracket$, we have:

$$\pi_I^{|I|} \ge \prod_{i < t} \left( \pi_{\llbracket a_i+1, a_{i+1} \rrbracket}^{|I_i|} \cdot \sqrt{d}^{\,-|I_i| \log\frac{1}{\delta_i}} \right),$$

where $I_i = I \cap \llbracket a_i+1, a_{i+1} \rrbracket$, and the integers $t$ and $a_i$'s, and the densities $\delta_i = \frac{|I_i|}{a_{i+1} - a_i}$ satisfy $t \ge 1$, $0 = a_1 < a_2 < \dots < a_t \le d$ and $1 \ge \delta_1 > \dots > \delta_{t-1} > 0$. By using Lemma 3 with $\Delta := \sqrt{d}$, $k_i := |I_i|$ and $d_i := a_{i+1} - a_i$, we immediately obtain:

$$\pi_I^{|I|} \ge \left( \sqrt{d}^{\,-|I| \log\frac{a_t}{|I|}} \right) \cdot \left( \prod_{i < t} \pi_{\llbracket a_i+1, a_{i+1} \rrbracket}^{|I_i|} \right).$$

For convenience, we define $\delta_t = 0$. Because of the definition of the $a_i$'s, we have:

$$\sum_{i < t} |I_i| = \sum_{i < t} \delta_i\,(a_{i+1} - a_i) = \sum_{j < t} (\delta_j - \delta_{j+1})\,a_{j+1}, \qquad \prod_{i < t} \pi_{\llbracket a_i+1, a_{i+1} \rrbracket}^{|I_i|} = \prod_{j < t} \left( \pi_{\llbracket 1, a_{j+1} \rrbracket} \right)^{(\delta_j - \delta_{j+1})\,a_{j+1}},$$

where all the exponents $(\delta_j - \delta_{j+1})\,a_{j+1}$ are non-negative since the densities decrease. By using $t-1$ times Minkowski's theorem, in the form $\pi_{\llbracket 1, a \rrbracket} \ge \|b_1\| / \sqrt{d}$ for any $a \le d$, we obtain that:

$$\pi_I^{|I|} \ge \sqrt{d}^{\,-|I| \log\frac{a_t}{|I|}} \cdot \left( \frac{\|b_1\|}{\sqrt{d}} \right)^{|I|} \ge \sqrt{d}^{\,-|I| \left(1 + \log\frac{d}{|I|}\right)} \cdot \|b_1\|^{|I|}.$$

The final inequality of the theorem is just the fact that $x \mapsto x \log(d/x)$ is maximal for $x = d/e$. □



Note that if $\max I < d$, we can apply the result to the HKZ-reduced basis $(b_1, \dots, b_{\max I})$. In the case where $I = \{i\}$, we recover the result of [23] that

$$\|b_i^*\| \ge (\sqrt{i})^{-1-\log i} \cdot \|b_1\|. \qquad (2)$$

Still, our result is significantly better than what would have been obtained by combining several relations of the type of Equation (2) when $|I|$ grows large. For instance, for a worst case of our analysis where $I$ is roughly the interval $\llbracket d(1-1/e), d \rrbracket$, this strategy would yield a lower bound of the form $\|b_1\|^{|I|} \cdot (\sqrt{d})^{-\Theta(d \log d)}$, which is worse than Helfrich's analysis.
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5 CVP and Other Related Problems 

In this section, we describe what can be obtained by adapting our technique to the Closest Vector 
Problem and other problems related to strong lattice reduction. We only describe the proofs at a high 
level, since they are relatively straightforward. 

In CVP, we are given a basis $(b_1, \ldots, b_d)$ and a target vector $t$, and we look for a lattice vector that is closest to $t$. The first step of Kannan's CVP algorithm is to HKZ-reduce the $b_i$'s. Then one adapts the enumeration algorithm of Figure 1 for CVP. For the sake of simplicity, we assume that $\|b_1\|$ is the largest of the $\|b_i^*\|$'s (we refer to Kannan's proof [16] for the general case). By using Babai's nearest hyperplane algorithm [6], we see that there is a lattice vector $b$ at distance less than $\sqrt{d} \cdot \|b_1\|$ of the target vector $t$. As a consequence, if we take $A = d \cdot \|b_1\|$ in the adaptation of the enumeration procedure, we are sure to find a solution. The analysis then reduces (at the level of Equation (1)) to

lib 11*^ 

bound the ratio o which can be done with Minkowski's theorem. 
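The reduce-then-enumerate CVP procedure just described, as an added Python example that is not part of the paper: exact Gram-Schmidt, Babai's nearest-plane step to obtain a first lattice vector near $t$, and a depth-first enumeration of every lattice vector within a radius of $t$. The radius used is $d \cdot \max_i \|b_i^*\|$, which is the paper's $d \cdot \|b_1\|$ when $b_1$ is the longest Gram-Schmidt vector; the HKZ reduction itself is omitted, and the small basis and target are constructed for the example.

```python
from fractions import Fraction
import math
BASIS = [[5, 1, 1], [1, 6, 1], [1, 1, 7]]  # constructed sample basis (rows); not HKZ-reduced
TARGET = [6, 8, 2]                          # constructed target vector t
def dot(u, v):
    return sum(Fraction(a) * Fraction(b) for a, b in zip(u, v))

def gram_schmidt(basis):
    # Exact Gram-Schmidt: rows b*_i and mu[i][j] = <b_i, b*_j> / <b*_j, b*_j>
    n, bstar = len(basis), []
    mu = [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(a) for a in basis[i]]
        for j in range(i):
            mu[i][j] = dot(basis[i], bstar[j]) / dot(bstar[j], bstar[j])
            v = [a - mu[i][j] * b for a, b in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu

def babai_nearest_plane(basis, bstar, t):
    # Babai's nearest-plane step: coefficients x with sum_i x_i b_i close to t
    r, x = [Fraction(a) for a in t], [0] * len(basis)
    for i in reversed(range(len(basis))):
        x[i] = round(dot(r, bstar[i]) / dot(bstar[i], bstar[i]))
        r = [a - x[i] * b for a, b in zip(r, basis[i])]
    return x
def enumerate_within(basis, bstar, mu, t, radius2):
    # Kannan-style depth-first search over Gram-Schmidt coordinates, last index first;
    # returns (||t - sum_i x_i b_i||^2, x) for every x whose squared distance is <= radius2.
    n = len(basis)
    tau = [dot(t, bstar[i]) / dot(bstar[i], bstar[i]) for i in range(n)]
    norms2 = [dot(b, b) for b in bstar]
    x, found = [0] * n, []
    def rec(i, partial2):
        if i < 0: found.append((partial2, list(x))); return
        c = tau[i] - sum(mu[j][i] * x[j] for j in range(i + 1, n))  # centre for x_i
        r = math.sqrt(float((radius2 - partial2) / norms2[i]))   # float bound, exact test below
        for cand in range(math.floor(c - r) - 1, math.ceil(c + r) + 2):
            term = (c - cand) ** 2 * norms2[i]
            if term <= radius2 - partial2:
                x[i] = cand
                rec(i - 1, partial2 + term)
    rec(n - 1, Fraction(0))
    return found

def kannan_cvp(basis, t):
    # Radius d*max||b*_i|| (paper: d*||b_1|| when b_1 is the longest b*_i); Babai's vector is inside it
    bstar, mu = gram_schmidt(basis)
    radius2 = Fraction(len(basis) ** 2) * max(dot(b, b) for b in bstar)
    cands = enumerate_within(basis, bstar, mu, t, radius2)
    best = min(d2 for d2, _ in cands)
    return sorted(x for d2, x in cands if d2 == best), best
```

For the constructed input the only closest lattice vector is $b_1 + b_2 = (6, 7, 2)$, at squared distance 1, and Babai's step already lands on it.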

Theorem 4. Given a basis $(b_1, \ldots, b_d)$ and a target vector $t$, all of them in $\mathbb{R}^n$ and with integer coordinates whose absolute values are smaller than some $B$, one can find all vectors in the lattice spanned by the $b_i$'s that are closest to $t$ in deterministic time $\mathcal{P}(\log B, n) \cdot d^{d/2 + o(d)}$.

The best deterministic complexity bound previously known for this problem was $\mathcal{P}(\log B, n) \cdot d^{d + o(d)}$ (see [13,16]). Our result can also be adapted to enumerating all vectors of a lattice that are of length below a prescribed bound, which is in particular useful in the context of computing lattice theta series.

Another important consequence of our analysis is a significant worst-case bound improvement of Schnorr's block-based strategy [23] to compute relatively short vectors. More precisely, if we take the bounds given in [10] for the quality of Schnorr's semi-$2k$ reduction and for the transference reduction, we obtain the table of Figure 3. Each entry of the table gives the upper bound of the quantity $\|b_1\| / (\det L)^{1/d}$ which is reachable for a computational effort of $2^t$, for $t$ growing to infinity. To sum up, the multiplicative exponent constant is divided by $e \approx 2.7$. The table upper bounds can be adapted to the quantity $\|b_1\| / \lambda_1(L)$ by squaring them.





Fig. 3. Worst-case bounds for block-based reduction algorithms. Columns: Semi-$2k$ reduction, Transference reduction. Rows: Using Helfrich's complexity bound (legible entry: $\leq 2^{\ldots} \approx 2^{0.250 \ldots}$), Using the improved complexity bound (legible entry: $\leq 2^{\ldots} \approx 2^{0.092 \ldots}$).



Let us finish by mentioning that work in progress seems to show, by using a technique due to Ajtai [3], that our analyses are sharp, in the sense that for all $\varepsilon > 0$, we can build HKZ-reduced bases for which the number of steps of Kannan's algorithm would be of the order of d'^^'^~^\.

References 

1. E. Agrell, T. Eriksson, A. Vardy, and K. Zeger. Closest point search in lattices. IEEE Transactions on Information Theory, 48(8):2201-2214, 2002.

2. M. Ajtai. The shortest vector problem in $l_2$ is NP-hard for randomized reductions (extended abstract). In Proceedings of the 30th Symposium on the Theory of Computing (STOC 1998), pages 284-293. ACM Press, 1998.

3. M. Ajtai. The worst-case behavior of Schnorr's algorithm approximating the shortest nonzero vector in a lattice. In Proceedings of the 35th Symposium on the Theory of Computing (STOC 2003), pages 396-406. ACM Press, 2003.






4. M. Ajtai and C. Dwork. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 29th Symposium on the Theory of Computing (STOC 1997), pages 284-293. ACM Press, 1997.

5. M. Ajtai, R. Kumar, and D. Sivakumar. A sieve algorithm for the shortest lattice vector problem. In Proceedings of the 33rd Symposium on the Theory of Computing (STOC 2001), pages 601-610. ACM Press, 2001.

6. L. Babai. On Lovász lattice reduction and the nearest lattice point problem. Combinatorica, 6:1-13, 1986.

7. J. Blömer. Closest vectors, successive minima and dual-HKZ bases of lattices. In Proceedings of the 2000 International Colloquium on Automata, Languages and Programming (ICALP 2000), volume 1853 of Lecture Notes in Computer Science, pages 248-259. Springer-Verlag, 2000.

8. D. Coppersmith and A. Shamir. Lattice attacks on NTRU. In Proceedings of Eurocrypt 1997, volume 1233 of Lecture Notes in Computer Science, pages 52-61. Springer-Verlag, 1997.

9. U. Fincke and M. Pohst. A procedure for determining algebraic integers of given norm. In Proceedings of EUROCAL, volume 162 of Lecture Notes in Computer Science, pages 194-202, 1983.

10. N. Gama, N. Howgrave-Graham, H. Koy, and P. Nguyen. Rankin's constant and blockwise lattice reduction. In Proceedings of Crypto 2006, number 4117 in Lecture Notes in Computer Science, pages 112-130. Springer-Verlag, 2006.

11. O. Goldreich, S. Goldwasser, and S. Halevi. Public-key cryptosystems from lattice reduction problems. In Proceedings of Crypto 1997, volume 1294 of Lecture Notes in Computer Science, pages 112-131. Springer-Verlag, 1997.

12. I. Haviv and O. Regev. Tensor-based hardness of the shortest vector problem to within almost polynomial factors. Submitted.

13. B. Helfrich. Algorithms to construct Minkowski reduced and Hermite reduced lattice bases. Theoretical Computer Science, 41:125-139, 1985.

14. C. Hermite. Extraits de lettres de M. Hermite à M. Jacobi sur différents objets de la théorie des nombres, deuxième lettre. Journal für die reine und angewandte Mathematik, 40:279-290, 1850.

15. J. Hoffstein, J. Pipher, and J. H. Silverman. NTRU: a ring based public key cryptosystem. In Proceedings of the 3rd Algorithmic Number Theory Symposium (ANTS III), volume 1423 of Lecture Notes in Computer Science, pages 267-288. Springer-Verlag, 1998.

16. R. Kannan. Improved algorithms for integer programming and related lattice problems. In Proceedings of the 15th Symposium on the Theory of Computing (STOC 1983), pages 99-108. ACM Press, 1983.

17. A. K. Lenstra, H. W. Lenstra, Jr., and L. Lovász. Factoring polynomials with rational coefficients. Mathematische Annalen, 261:513-534, 1982.

18. J. Martinet. Perfect Lattices in Euclidean Spaces. Springer-Verlag, 2002.

19. J. Mazo and A. Odlyzko. Lattice points in high-dimensional spheres, 1990.

20. D. Micciancio and S. Goldwasser. Complexity of lattice problems: a cryptographic perspective. Kluwer Academic Press, 2002.

21. H. Minkowski. Geometrie der Zahlen. Teubner-Verlag, 1896.

22. O. Regev. Lecture notes of lattices in computer science, taught at the Computer Science Tel Aviv University. Available at http://www.cs.tau.il/~odedr

23. C. P. Schnorr. A hierarchy of polynomial lattice basis reduction algorithms. Theoretical Computer Science, 53:201-224, 1987.

24. C. P. Schnorr and M. Euchner. Lattice basis reduction: improved practical algorithms and solving subset sum problems. Mathematical Programming, 66:181-199, 1994.

25. V. Shoup. NTL, Number Theory C++ Library. Available at http://www.shoup.net/ntl/



Proof of Lemma 2

We prove the result by induction on $k$. For $k = 1$, the bound easily follows from $\gamma_d \leq (d+4)/4$. Suppose now that the result holds for some $k \in [1, d-2]$, and that we want to show that it holds for $k+1$. Notice that we can suppose that $d \geq 3$. Define $G_d(k) = \frac{1}{2} \log d \log$ . Then for any $\Delta > 0$,

G,ik + A) - G,ik) = -- log dlog > 

Taking A = 1, we see that Gd{k + 1) - Gd{k) > 
From the upper bound $\gamma_d \leq (d+4)/4$, we obtain:

log m + 1) - logr,(^) = 2 ^3131 ^ 2 d-k-1 ■ 
Now, since the sequence ( "^°g(^'^+'^)/^) J is increasing, we have:



n>2 

(d-mog((.-. + 4)/4) ^^ 

a — k — 1 a — 2 

$$= \log d + \frac{(d-1) \log((d+3)/4) - (d-2) \log d}{d-2} < \log d,$$

since the last term is a decreasing function of d, which is negative for d = 3. □ 



Proof of Lemma 3

We have — log Y[i<t ^ — (l^S ^) ' Si<t ^« 3^-. Now, note that the function $x \mapsto x \log x$ is convex on $[0, +\infty)$. This means that for any $t \geq 1$, for any $a_1, \ldots, a_t > 0$, and for any $\lambda_1, \ldots, \lambda_t \in [0, 1]$ such that $\sum_{i \leq t} \lambda_i = 1$, we have:

$$\sum_{i \leq t} \lambda_i a_i \log a_i \geq \Big(\sum_{i \leq t} \lambda_i a_i\Big) \log\Big(\sum_{i \leq t} \lambda_i a_i\Big).$$

In particular, for ^^'^ (after multiplication by X]i<t '^«)' 

-iogn^~''^'°'* > (log 5) • (y.^] log 



T.i<tdi ) ' 

which is exactly - log 6 ^ □ 



i<t \ i<t 



Proof of Lemma 1

Proof. We start with the first identity. We prove it by induction on $k$. For $k = 1$, this is Minkowski's bound. Assume it to be true for a given $k \leq d-2$. We are to prove that it holds for $k+1$ instead of $k$. By applying Minkowski's bound to the $(d-k)$-dimensional HKZ-reduced basis $(\ldots, b_d^*)$, we have:

d-k 

We can rewrite our induction hypothesis as 
or, again, as 

This gives, by using Equation ([3]): 

fc + 1 ^ d fc + l d fj -i\/7 
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By raising this last identity to the power we get 

d 

which, by induction, yields the first inequality. 

The second inequality follows easily from the first one. Indeed, it suffices to raise the first one to the power $k/d$, multiply both sides by $(\pi_{[k+1,d]})^{(d-k)/d}$, and use the identity $\det L = (\pi_{[1,k]})^{k} \cdot (\pi_{[k+1,d]})^{d-k}$.

Proof of Lemma 4

First notice that, as a consequence of Lemma 1, we have, for integers $k, l$ with $1 \leq k < l \leq d$,

$$\pi_{[l+1,d]} \geq \Gamma_{d-k}(l-k)^{-1} \cdot \pi_{[k+1,d]}. \qquad (4)$$

Recall that:

$$\pi_{[x_1,d]} = (\pi_{[\lfloor x_1 \rfloor,d]})^{\lambda_1} \cdot (\pi_{[\lfloor x_1 \rfloor+1,d]})^{1-\lambda_1}, \qquad \pi_{[x_2,d]} = (\pi_{[\lfloor x_2 \rfloor,d]})^{\lambda_2} \cdot (\pi_{[\lfloor x_2 \rfloor+1,d]})^{1-\lambda_2},$$

with $\lambda_i = \frac{(1 - \mathrm{frac}(x_i))(d - \lfloor x_i \rfloor + 1)}{d - x_i + 1}$ for $i \in \{1, 2\}$. Notice that since $x_1 < x_2$, either $\lfloor x_1 \rfloor + 1 \leq \lfloor x_2 \rfloor$, or $\lfloor x_1 \rfloor = \lfloor x_2 \rfloor$. In the last case, since the function $x \mapsto (u-x)/(v-x)$ is decreasing when $u < v$ and for $x < u$, we must have $\lambda_2 \leq \lambda_1$.

We split the proof in several cases, depending on the respective values of Ai and A2. 

First case: $\lambda_1 \leq \lambda_2$. In that case, we have $\lfloor x_1 \rfloor + 1 \leq \lfloor x_2 \rfloor$. We define

$$G := \Gamma_{d - \lfloor x_1 \rfloor + 1}(\lfloor x_2 \rfloor - \lfloor x_1 \rfloor)^{\lambda_1} \cdot \Gamma_{d - \lfloor x_1 \rfloor}(\lfloor x_2 \rfloor - \lfloor x_1 \rfloor - 1)^{\lambda_2 - \lambda_1} \cdot \Gamma_{d - \lfloor x_1 \rfloor}(\lfloor x_2 \rfloor - \lfloor x_1 \rfloor)^{1 - \lambda_2}.$$

By using three times Equation (4), we get:

$$\pi_{[x_2,d]} = (\pi_{[\lfloor x_2 \rfloor,d]})^{\lambda_2} \cdot (\pi_{[\lfloor x_2 \rfloor+1,d]})^{1-\lambda_2} \geq G^{-1} \cdot (\pi_{[\lfloor x_1 \rfloor,d]})^{\lambda_1} \cdot (\pi_{[\lfloor x_1 \rfloor+1,d]})^{1-\lambda_1}.$$

Now, Lemma 2 gives that

$$\frac{\log G}{\log \gamma_d} \leq \lambda_1 \log \frac{d - \lfloor x_1 \rfloor + 1}{d - \lfloor x_2 \rfloor + 1} + (\lambda_2 - \lambda_1) \log \frac{d - \lfloor x_1 \rfloor}{d - \lfloor x_2 \rfloor + 1} + (1 - \lambda_2) \log \frac{d - \lfloor x_1 \rfloor}{d - \lfloor x_2 \rfloor},$$

which, by concavity of the function $x \mapsto \log x$, is at most the logarithm of

$$E(x_1, x_2) := \lambda_1 \frac{d - \lfloor x_1 \rfloor + 1}{d - \lfloor x_2 \rfloor + 1} + (\lambda_2 - \lambda_1) \frac{d - \lfloor x_1 \rfloor}{d - \lfloor x_2 \rfloor + 1} + (1 - \lambda_2) \frac{d - \lfloor x_1 \rfloor}{d - \lfloor x_2 \rfloor}.$$

To complete the proof of this first case, it suffices to prove that $E(x_1, x_2) \leq \frac{d - x_1}{d - x_2}$. We have



$$\begin{aligned}
E(x_1, x_2) &= \frac{d - x_1}{d - x_2} + \frac{\lambda_1}{d - \lfloor x_2 \rfloor + 1} - \frac{1 - \mathrm{frac}(x_1)}{d - x_2 + 1} - \frac{x_2 - x_1}{(d - x_2)(d - x_2 + 1)} \\
&= \frac{d - x_1}{d - x_2} + \frac{1}{d - x_2 + 1} \left( \left(1 - \frac{\mathrm{frac}(x_2)}{d - \lfloor x_2 \rfloor + 1}\right) \lambda_1 - (1 - \mathrm{frac}(x_1)) - \frac{x_2 - x_1}{d - x_2} \right) \\
&\leq \frac{d - x_1}{d - x_2} + \frac{1}{d - x_2 + 1} \left( \frac{(1 - \mathrm{frac}(x_1))\,\mathrm{frac}(x_1)}{d - x_1 + 1} - \frac{x_2 - x_1}{d - x_2} \right) \\
&\leq \frac{d - x_1}{d - x_2} + \frac{1}{d - x_2 + 1} \left( \frac{1 - \mathrm{frac}(x_1)}{d - x_2} - \frac{x_2 - x_1}{d - x_2} \right),
\end{aligned}$$



from which the result follows at once, since $\lfloor x_1 \rfloor < \lfloor x_2 \rfloor$ implies that $x_2 - x_1 = \lfloor x_2 \rfloor - \lfloor x_1 \rfloor + \mathrm{frac}(x_2) - \mathrm{frac}(x_1) \geq 1 - \mathrm{frac}(x_1)$.

Second case: $\lambda_1 > \lambda_2$. Similarly, defining

$$H := \Gamma_{d - \lfloor x_1 \rfloor + 1}(\lfloor x_2 \rfloor - \lfloor x_1 \rfloor)^{\lambda_2} \cdot \Gamma_{d - \lfloor x_1 \rfloor + 1}(\lfloor x_2 \rfloor - \lfloor x_1 \rfloor + 1)^{\lambda_1 - \lambda_2} \cdot \Gamma_{d - \lfloor x_1 \rfloor}(\lfloor x_2 \rfloor - \lfloor x_1 \rfloor)^{1 - \lambda_1},$$

we obtain 

Lemma 2 gives us that:

$$\frac{\log H}{\log \gamma_d} \leq \lambda_2 \log \frac{d - \lfloor x_1 \rfloor + 1}{d - \lfloor x_2 \rfloor + 1} + (\lambda_1 - \lambda_2) \log \frac{d - \lfloor x_1 \rfloor + 1}{d - \lfloor x_2 \rfloor} + (1 - \lambda_1) \log \frac{d - \lfloor x_1 \rfloor}{d - \lfloor x_2 \rfloor}.$$

By concavity of the function $x \mapsto \log x$, the right hand side is at most the logarithm of

$$\lambda_2 \frac{d - \lfloor x_1 \rfloor + 1}{d - \lfloor x_2 \rfloor + 1} + (\lambda_1 - \lambda_2) \frac{d - \lfloor x_1 \rfloor + 1}{d - \lfloor x_2 \rfloor} + (1 - \lambda_1) \frac{d - \lfloor x_1 \rfloor}{d - \lfloor x_2 \rfloor} = E(x_1, x_2) + \frac{\lambda_1 - \lambda_2}{(d - \lfloor x_2 \rfloor)(d - \lfloor x_2 \rfloor + 1)}.$$

Hence, we just need to prove that:

$$E'(x_1, x_2) := E(x_1, x_2) + \frac{\lambda_1 - \lambda_2}{(d - \lfloor x_2 \rfloor)(d - \lfloor x_2 \rfloor + 1)} \leq \frac{d - x_1}{d - x_2}.$$

Some elementary calculus provides the equalities:

$$\begin{aligned}
E'(x_1, x_2) &= \frac{d - x_1}{d - x_2} + \frac{\lambda_1}{d - \lfloor x_2 \rfloor} - \frac{1 - \mathrm{frac}(x_2)}{(d - \lfloor x_2 \rfloor)(d - x_2 + 1)} - \frac{1 - \mathrm{frac}(x_1)}{d - x_2 + 1} - \frac{x_2 - x_1}{(d - x_2)(d - x_2 + 1)} \\
&= \frac{d - x_1}{d - x_2} + \frac{\lambda_1}{d - \lfloor x_2 \rfloor} - \frac{1 - \mathrm{frac}(x_1)}{d - x_2} - \frac{1 - \mathrm{frac}(x_2)}{(d - \lfloor x_2 \rfloor)(d - x_2 + 1)} - \frac{x_2 - \lfloor x_1 \rfloor - 1}{(d - x_2)(d - x_2 + 1)}.
\end{aligned}$$
Second case, first sub-case: $\lambda_1 > \lambda_2$, $\lfloor x_1 \rfloor < \lfloor x_2 \rfloor$. In that case,

, d-xi frac(xi)) 1 - frac(x2) 

\Xi,X2) — S 



d — X2 d — X2 {d - [X2\){d — X2 + I) {d ~ X2){d — X2 + 1) 

^ 1 — frac(xi) 1 



{d ~ X2)id - xi + 1) {d - X2){d - X2 + 1) 
< 



Second case, second sub-case: $\lambda_1 > \lambda_2$, $\lfloor x_1 \rfloor = \lfloor x_2 \rfloor$. In that case, after some rewriting which can be checked with one's favourite computer algebra system, one finds that:

, d-xi 1 /(I -frac(a;i))(a;i -a;2)((i- [3^2]) frac(x2)(Ai - A2; 

{Xi,X2) — 



d — X2 {d— [xi\ ){d — X2) \ d — Xi + 1 d — [xi\ + 1 

< 0. 

□ 